forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathcredential_dumping.yml
More file actions
78 lines (76 loc) · 3.44 KB
/
credential_dumping.yml
File metadata and controls
78 lines (76 loc) · 3.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
category:
- Adversary Tactics
channel: ESCU
creation_date: '2018-08-08'
description: Uncover activity consistent with credential dumping, a technique wherein
attackers compromise systems and attempt to obtain and exfiltrate passwords. The
threat actors use these pilfered credentials to further escalate privileges and
spread throughout a target environment. The included searches in this Analytic Story
are designed to identify attempts to credential dumping.
detections:
- detection_id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
name: Access LSASS Memory for Dump Creation
type: splunk
- detection_id: 67d4dbef-9564-4699-8da8-03a151529edc
name: Create Remote Thread into LSASS
type: splunk
- detection_id: 2c365e57-4414-4540-8dc0-73ab10729996
name: Detect Credential Dumping through LSASS access
type: splunk
- detection_id: 56ef054c-76ef-45f9-af4a-a634695dcd65
name: Unsigned Image Loaded by LSASS
type: splunk
- detection_id: 14038953-e5f2-4daf-acff-5452062baf03
name: Attempted Credential Dump From Registry via Reg.exe
type: splunk
- detection_id: 29e307ba-40af-4ab2-91b2-3c6b392bbba0
name: Detect Mimikatz Using Loaded Images
type: splunk
- detection_id: c2590137-0b08-4985-9ec5-6ae23d92f63d
name: Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
type: splunk
- detection_id: eb120f5f-b879-4a63-97c1-93352b5df844
name: Creation of Shadow Copy
type: splunk
- detection_id: 2ed8b538-d284-449a-be1d-82ad1dbd186b
name: Creation of Shadow Copy with wmic and powershell
type: splunk
- detection_id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b
name: Credential Dumping via Copy Command from Shadowcopy
type: splunk
- detection_id: c5eac648-fae0-4263-91a6-773df1f4c903
name: Credential Dumping via Symlink to Shadowcopy
type: splunk
id: 854d78bf-d0e2-4f4e-b05c-640905f86d7a
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
modification_date: '2019-12-11'
name: Credential Dumping
narrative: 'Credential dumping—gathering credentials from a target system, often
hashed or encrypted—is a common attack technique. Even though the credentials
may not be in plain text, an attacker can still exfiltrate the data and set to cracking
it offline, on their own systems. The threat actors target a variety of sources
to extract them, including the Security Accounts Manager (SAM), Local Security Authority
(LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\
Once attackers obtain valid credentials, they use them to move throughout a target
network with ease, discovering new systems and identifying assets of interest. Credentials
obtained in this manner typically include those of privileged users, which may provide
access to more sensitive information and system operations.\
The detection searches in this Analytic Story monitor access to the Local Security
Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential
dumping and some other techniques for credential dumping.'
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references:
- https://attack.mitre.org/wiki/Technique/T1003
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
spec_version: 2
usecase: Advanced Threat Detection
version: '2.0'